Cybersecurity: Attack and Defense Strategies

Questions and Answers

Which of the following is the primary goal of network segmentation?

  • To improve network performance and security. (correct)
  • To reduce the number of network devices.
  • To eliminate the need for firewalls.
  • To increase network complexity.

In a defense-in-depth approach, having multiple layers of security controls can delay an attack.

True (A)

What are the three common types of network segmentation?

Physical, logical, and virtual

The act of splitting a computer network into subnetworks is known as network ______.

segmentation

Match the following security layers with their respective security controls.

  • Data = Access control list, encryption, rights management
  • Application = Security development lifecycle, application control
  • Host = OS hardening, authentication, patch management, Host IDS
  • Network = Network segmentation, firewall, IPSec

Which of the following is a key benefit of microsegmentation?

Granular access controls enforced by resource identity. (D)

In physical network segmentation, data can flow freely between segmented networks without additional switches or routers.

False (B)

What is a VLAN, and how does it contribute to network security?

Virtual Local Area Network. It logically separates networks, enhancing security.

A __________ attack involves overwhelming a switch with numerous MAC addresses to impair network operations.

MAC flooding

Match the following VLAN segmentation types with their respective focus:

  • Business objectives = Aligning VLANs with common business goals
  • Level of sensitivity = Creating VLANs based on risk assessments
  • Location = Organizing resources based on geographical locations
  • Security zones = Combining segmentation for specific security purposes

Which protocol is recommended for the secure management of network switches and routers?

SSH (D)

Network Topology Mapper is a basic command-line tool used to graphically discover and map network structures.

False (B)

What is the purpose of a Network Access Control (NAC) system in securing remote access?

To evaluate a remote system prior to allowing access

Using _____________ enforces an additional layer of security before resource access is authorized.

MFA

Match the following remote access security concerns with their respective countermeasures.

  • Compromised Remote Device = Network Access Control (NAC)
  • Unauthorized Network Access = Multi-Factor Authentication (MFA)
  • Non-Compliant Systems = Quarantine Network
  • Data Transmission Interception = Site-to-Site VPN

What is the key feature of a Site-to-Site VPN?

It establishes a secure channel between two remote networks. (A)

In virtual network segmentation, traffic from one virtual network is visible to other virtual networks by default.

False (B)

Name two security inspections that can be implemented at the virtual switch level using virtual extensions.

Network packet inspection and firewall

In a zero trust network, all networks are considered __________.

hostile

Match the following cloud service models with the security responsibility.

  • IaaS = Client secures everything they deploy
  • PaaS = Client configures network security settings for the application layer
  • SaaS = Client configures security settings within the SaaS application

What is a central tenet of the Zero Trust network model?

Assuming threats exist regardless of location. (A)

A zero trust network relies mainly on a single security vendor’s technology.

False (B)

What are four main components in a zero trust network architecture?

Identity provider, a device directory, a conditional policy and an access proxy

With a site-to-site VPN connection, each branch office will not have access to the __________.

entire headquarters' main network

Match the hybrid cloud connectivity with their characteristics.

  • Site-to-site VPN = Simple and provides accepted security
  • Direct route to the cloud = Lower latency, higher consistent performance, increased security

What is one security measure that is enabled in the virtual switch?

MAC address spoofing (ARP spoofing) prevention (C)

A zero trust network model trusts users based on their credentials.

False (B)

Name one connectivity approach when implementing a hybrid cloud.

Site-to-site VPN, direct route to the cloud.

The cloud provider is responsible for the __________ in IaaS.

infrastructure

Match the following steps with the Zero Trust network adoption.

  • Identify and inventory assets = Identify and inventory assets
  • Establish access rules = Define and document how assets interact
  • Determine access conditions = Specify who can access applications
  • Implement active monitoring systems = Implement active monitoring system

In physical network segmentation, there are considerations related to __________.

Efficiency and scalability. (A)

The MAC address table keeps information on the IP address to be used in the Ethernet frame.

False (B)

What is the final step of the Cybersecurity Kill Chain?

Concluding the mission

_____________ is an approach to computer security that attempts to unify endpoint security technology.

NAC

Match the following defense in depth approach layers:

  • Layer 1 Gate or Fence = Gate or Fence
  • Layer 2 Locked Door = Locked Door
  • Layer 3 Alarm System = Alarm System
  • Layer 4 Digital Safe Box = Digital Safe Box

Which security strategy should a company use to reduce vulnerability levels?

Reduce the time of exposure. (C)

Encryption of traffic in transit over the internet should be done in external networks only.

False (B)

What is a recommendation for hybrid cloud network security?

Using cloud network security scan and assessment tools

Getting an accurate view of what is currently implemented in the network is a ____________ task for the blue team.

challenging

Match the network segments with their purpose:

  • Infrastructure and Services = Enumerating all services to identify possible attacks
  • Documents in transit = Protecting by robust encryption
  • Endpoints = Uncovering all attack vectors and planning mitigation efforts accordingly

Flashcards

Network Segmentation

Splitting a computer network into subnetworks, with each being a network segment.

Network segmentation

Act of splitting a computer network into subnetworks.

Defense in depth

Having multiple layers of security controls to protect an asset.

Service Enumeration

Enumerating all services offered by an organization to identify potential attack vectors.


Threat Modeling in Hybrid Environment

Analyzing potential threats and implementing security controls in the hybrid environment.


Protect Documents in Transit

Protecting data with robust encryption and digital signatures while it is being transmitted.


Trusted Platform Module (TPM)

Hardware security module that integrates cryptographic keys into devices.


Microsegmentation

Using policies and permissions to create isolated network segments.


Decoupled from Physical Infrastructure

No need for additional physical devices. Segmentation is software-based.


Virtual LAN network

Dividing a network into isolated segments using VLANs


Network switch

A computer networking device that connects devices together on a computer network


MAC Flooding Attack

Attack that floods a switch with MAC addresses.


VLAN Separation

Separating network logically, not physically.


Network Access Control (NAC)

Evaluates the health and security posture of a remote system before granting network access.


Mandate Security Policy Compliance

Verifies that the remote system complies with mandated security policies.


Multi-Factor Authentication (MFA)

Two-factor authentication before access is allowed.


Site-to-Site VPN

Enables a secure traffic channel between two remote sites.


Zero Trust Network

All networks are considered untrustworthy and treated as potentially hostile.


Identity Provider

Authenticates and verifies user identities before granting access to resources.


Establish access rules

Defines how assets interact and historical access patterns.


Cloud Shared Responsibilities

Securing IaaS, PaaS, SaaS.


Study Notes

Cybersecurity: Attack and Defense

  • Cybersecurity Kill Chain involves external reconnaissance, system compromise, lateral movement, privilege escalation, and mission conclusion.
  • Defense strategies include security policies and network segmentation.

Network Segmentation

  • It splits a computer network into subnetworks/segments.
  • The network must be segmented and isolated to provide intrusion mitigation mechanisms.
  • Types include physical, logical, and virtual.
  • Reasons include improved performance and enhanced security.
  • Enhanced security example is by ensuring users cannot directly access database servers.

Defense in Depth Approach

  • It ensures multiple layers of protection.
  • Each layer has specific security controls to delay attacks.
  • Sensors in each layer alert users to potential issues.
  • Overall purpose is to break the attack kill chain before attackers meet mission objectives.
  • Layers include infrastructure and services, documents in transit, endpoints, and microsegmentation.
  • Security controls include access control lists, encryption, and rights management.
  • Securing the infrastructure layer means protecting both the infrastructure and the services it hosts from attackers.
  • Infrastructure and services can be on-premises or Infrastructure as a Service (IaaS).
  • Threat modeling is crucial in hybrid environments with both on-premises and IaaS components.
  • Infrastructure security aims to lower vulnerability counts and exploitation costs.
  • Multiple layers include physical and logical defenses.

Documents in Transit

  • All data types are vulnerable when transferred.
  • Data requires robust encryption (and digital signatures) in both public and internal networks.
  • End-to-end protection should be used for data transmitted.
  • Security controls for monitoring and access control are necessary.

Endpoints

  • Endpoints include any data-consuming device.
  • Endpoints can be mobile or IoT devices, and require threat modeling to identify and mitigate attack vectors.
  • Countermeasures include data isolation, Trusted Platform Module (TPM) hardware protection, OS hardening, storage encryption, and Endpoint Detection and Response (EDR) systems.

Microsegmentation

  • It uses policies and permissions to create isolated network segments based on resource identity, instead of IP addresses.
  • It eliminates the need for additional physical devices and is software-based, implemented through Software-Defined Networking (SDN).
  • It allows flexible adaptation without infrastructure changes.
  • Micro-segmentation supports the Zero Trust model with granular access controls and independently protects resources regardless of location to prevent attacker movement.

Physical Network Segmentation

  • Networks often grow without revisiting security features.
  • Establishing network segmentation begins with understanding the logical resource distribution of networks.
  • Blue team can select physical network segmentation or Virtual Local Area Network (VLAN), depending on the organization's size.
  • Physical segmentation prevents data flow between segments without another switch or router and so provides isolation, but it has efficiency and scalability issues.

Background Knowledge About Switches

  • Network switches connect devices on a computer network.
  • Computers connect to switches via physical ports.
  • Switches transfer data from one port to other connected devices.
  • Switches learn the Media Access Control address connected to each port.
  • These learned addresses populate the MAC address table, which the switch consults to forward Ethernet frames to the correct port.

MAC Flooding Attack

  • Overwhelms the switch with many false MAC addresses.
  • Impairs normal network operation.

Virtual Local Area Network (VLAN)

  • VLANs provide logical separation, using access points such as routers.
  • This helps isolate resources per department within small/medium-sized organizations.
  • Virtual LANs could cause access issues if different departments need to access the same file server, which would require specific cross VLAN access.
  • VLANs can also be implemented based on business objectives, level of sensitivity, location, and security zones.

VLAN Network Segmentation

  • It is best practice to use SSH to manage switches and routers.
  • Restrict access to the management interface and disable unused ports.
  • Use the switch's security capabilities to prevent MAC flooding, and port-level security measures such as DHCP snooping.
  • Always update switch and router firmware plus operating systems.
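As an added example (not from the lesson or the book it summarizes), the following Python model illustrates the switch behaviour described under "Background Knowledge About Switches" and "MAC Flooding Attack" above, together with the port-level security measure recommended in this list: a switch learns source MACs per port, a flood of bogus MACs exhausts a small table, and a per-port address limit turns that flood into a logged violation instead. The `Switch` class, the limits and the sample MAC addresses are constructed for illustration.

```python
"""Toy model of a switch MAC address table with a port-security limit.

Constructed example: shows how a switch learns source MACs per port and how a
per-port learned-address limit (port security) makes a MAC flooding attempt a
detectable violation instead of a full MAC table.
"""
from collections import defaultdict
from dataclasses import dataclass, field

TABLE_CAPACITY = 8   # deliberately tiny CAM table so flooding is visible
PORT_MAC_LIMIT = 2   # port security: max learned MACs per access port


@dataclass
class Switch:
    capacity: int = TABLE_CAPACITY
    mac_limit: int = PORT_MAC_LIMIT
    mac_table: dict = field(default_factory=dict)                      # mac -> port
    macs_per_port: dict = field(default_factory=lambda: defaultdict(set))
    violations: list = field(default_factory=list)                     # (port, mac)
    err_disabled: set = field(default_factory=set)                     # shut-down ports

    def learn(self, port, src_mac):
        """Process one frame's source MAC on `port`; return the action taken."""
        if port in self.err_disabled:
            return "dropped"                       # port was shut down earlier
        if self.mac_table.get(src_mac) == port:
            return "known"                         # already learned on this port
        learned = self.macs_per_port[port]
        if len(learned) >= self.mac_limit:
            self.violations.append((port, src_mac))   # log for the blue team
            self.err_disabled.add(port)               # "shutdown" violation mode
            return "violation"
        if len(self.mac_table) >= self.capacity:
            return "table_full"                    # the state a flood aims for
        self.mac_table[src_mac] = port
        learned.add(src_mac)
        return "learned"


def frames_from_port(port, count, seed):
    """Constructed sample frames: `count` distinct source MACs seen on `port`."""
    return [(port, f"02:00:00:{seed:02x}:{i >> 8:02x}:{i & 0xff:02x}")
            for i in range(count)]


def run_scenario(limit_enabled=True):
    """One legitimate host each on ports 1 and 2, then 50 bogus MACs on port 3."""
    sw = Switch(mac_limit=PORT_MAC_LIMIT if limit_enabled else 10**6)
    traffic = (frames_from_port(1, 1, 1) + frames_from_port(2, 1, 2)
               + frames_from_port(3, 50, 3))
    results = defaultdict(int)
    for port, mac in traffic:
        results[sw.learn(port, mac)] += 1
    return {
        "table_size": len(sw.mac_table),
        "table_full_events": results["table_full"],
        "violations": len(sw.violations),
        "err_disabled_ports": sorted(sw.err_disabled),
    }


if __name__ == "__main__":
    print("port security on :", run_scenario(True))
    print("port security off:", run_scenario(False))
```

With the limit enabled the flood stops at the third address on port 3 and the port is shut down; without it the table fills and every later address is rejected, which on a real switch is when frames start being flooded to all ports.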

Network Discovery

  • Internal reconnaissance techniques are key to discovering the network structure in the organization.
  • Nmap and traceroute can identify network structure.
  • Commercial tools like Network Topology Mapper create graphical network structure diagrams plus device location information.

Securing Remote Access

  • It is needed when employees work from home or travel.
  • Network Access Control (NAC) evaluates remote systems before granting access.
  • NAC unifies endpoint security, including antivirus, host intrusion prevention, vulnerability assessment, user/system authentication, and network security enforcement.
  • NAC checks that the system has the latest patches, antivirus enabled, a personal firewall enabled, and complies with mandated security policies.

Securing Remote Access (Diagram Examples)

  • On-premises network access control validates the connecting system before it is allowed in.
  • The remote-access segment is separated, allowing only controlled communication with on-premises resources.
  • A firewall isolates remote access users in their own VLAN.
  • Companies use this to restrict the level of access a user has while remotely accessing data.

Enforcing Security

  • Multi-Factor Authentication (MFA) should be used.
  • Isolated (quarantine) networks should be used for computers that do not meet the minimum access requirements.
  • This allows the computer to be scanned and remediated before it is granted access to the corporate network.
  • Site-to-Site VPNs enable secure (encrypted and/or signed) traffic channels between two remote sites.
  • A VPN can also work at the MAC layer (below IP), with traffic rerouted to VPN networks.
  • VPNs usually use IPSec or TLS and encrypt by default (though encryption is not always mandatory); data might not be encrypted in transport mode.
  • A site-to-site VPN provides private communication between the corporate network and a remote site.

VPN Example

  • In the network design shown previously, branch firewalls apply specific rules upon VPN connection.
  • Remote branch is not able to access the entire headquarters, but merely specific segments and must comply with "need to know" principles.

Virtual Network Segmentation

  • Employs security embedded in virtual networks/machines (VMs) managed by hypervisors such as VirtualBox or VMware.
  • Vendor-agnostic approaches should be utilized.
  • An isolated virtual switch ensures that the traffic of one virtual network remains unseen by others.
  • Routers with multiple virtual network adapters enable communication between two or more virtual networks.
  • Firewalls, network packet inspection, and network packet filters, are some security inspections possible at the virtual switch level.
  • These inspections apply security checks before packets are transferred to other networks.

Network Security

  • Traffic originating from one VM may go to another VM or out to the corporate network.
  • MAC address spoofing (ARP spoofing) prevention, DHCP and router guards, and port ACLs block malicious traffic.

Zero Trust Network

  • All networks (internal and external) are not trustworthy by nature.
  • Assume that threats exist, regardless of the network location.
  • Zero trust is much more than technology products, as identity stands as a new perimeter.
  • Main components are identity/device directories, posture assessment, context, and a proxy with adaptive access.

Building a Zero Trust Network

  • Identify and take stock of all assets.
  • Establish clearly defined data access rules and the method of the data transaction.
  • Access verification methods: Identity, device, network, and resources must be established and identified.
  • Identify policies and controls, logging levels, and control rules of the traffic between users.
  • Establish which applications can access what, and how, along with backend systems for data, and monitor these systems.

Hybrid Cloud Network Security

  • Most organizations sooner or later connect their on-premises network to the cloud, forming a hybrid cloud.
  • Possible approaches are a site-to-site VPN for cloud connectivity and a direct route with services such as Azure ExpressRoute.
  • A VPN provides simple and universally accepted security.
  • The VPN will require additional cost and extra maintenance.
  • The cloud provider will manage the underlying infrastructure on the IaaS framework.
  • The client, on the other hand, must manage security: set up the network properly, close unnecessary ports, and configure firewalls.
  • Cloud network security scan and assessment tools (e.g., Microsoft Defender for Cloud) should be utilized.
  • Regular network security assessments for hybrid scenarios with integrated on-premises and cloud networks should be conducted.
  • Defender for Cloud's Network Map feature visualizes the virtual network topology and identifies internet-facing VMs.
